
May 31, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -12





Q) What is the difference between the VIRSA tool and GRC, and does the VIRSA tool support ECC 6.0 ? What is GRC ? What is the SAP VIRSA tool ?

Governance, Risk, and Compliance (GRC). The goal of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business. This means that ethical business processes should comply with effective process controls, in line with the relevant industry business processes, accounting processes and government policy. In practice, government organizations and public organizations registered on local stock markets are accountable for having effective governance and process controls to protect shareholder rights and prevent organized corporate fraud and scams.

GRC tools and IT applications
There are many GRC audit tools on the market to facilitate internal and external audits of companies.

Q) What is SAP VIRSA Tool ?

1) Access controls, 2) Process controls.
It has 4 sections to audit the system.
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access enforcer.
The VIRSA system has now been taken over by SAP AG. It is now part of NetWeaver, as an add-on.
VIRSA produced a number of tools, most commonly used was Compliance Calibrator.
SAP acquired VIRSA and integrated their tools into its GRC suite of products which have a wider span than the VIRSA products.
You can use the VIRSA tools in ECC6. As the company no longer sells these products, a candidate referring to VIRSA when they mean SAP GRC is an easy way to tell that they do not understand the GRC topic.
GRC as a subject has been hijacked by SAP's use of the term; real GRC is much wider than a set of tools which can automate part of the GRC process.

Q) What is FireFighter ? When do we use FireFighter ?

If you have implemented VIRSA/GRC, a FireFighter ID is also a normal user ID, but one with some specific access (say SU01 or SAP_ALL) as per the needs. The user type is kept as "service user". Example: in your project you are a security administrator who does not have direct access to SU01, but you need the access urgently.
Then the FFID owner/administrator assigns you an FFID for a limited period so that you can perform the task from your own login ID and password, using t-code /n/VIRSA/VFAT and logging in with that FFID.
While logging in you will be prompted to give a business reason for the access. Everything you perform in that period (using the FFID) gets recorded for auditing.

Q) What is the difference between SoX & SoD ? What kind of work does SoX do, and what does SoD do ? What is VIRSA ?

SoX - refers to the Sarbanes-Oxley Act of the early 2000s. It impacts all US companies, whether they operate in the US or in other countries. Some people think this act is significant, after the collapse of big companies such as Enron.
SoD - refers to Segregation of Duties. Basically, one person cannot have access to the whole process. The tasks need to be segregated so that there are checks and balances.
VIRSA - is one of the third-party tools used to check for SoX compliance in a company. Other than this, there are also other products such as APPROVA and SecurInfo. VIRSA has since been bought by SAP and rebranded as GRC (Governance, Risk and Control).


Q) What is the use of a Detour path ? How does a Fork path differ from a Detour path ?

If a workflow (WF) fulfills a certain condition, e.g. an SoD violation, the original workflow ends and takes a predefined alternative route (detour). This workflow can contain other stages and additional approvers.
A fork is a way to split up a workflow from a single initiator between SAP and non-SAP systems.

Q) What is the name of background job in FF that is responsible for sending notification and logs to FF id controller ?

/VIRSA/ZVFATBAK or /n/VIRSA/VFATBAK

Q) What is the Rule Set in GRC ?

Collection of rules is nothing but Rule Set. There is a default Rule Set in GRC called Global Rule Set.

Q) How can you assign FireFighter IDs from one FireFighter admin to another FireFighter admin if the current admin leaves the organization without telling anybody ?

Take the user ID of the person who left the company, go to t-code SE16, type table name /VIRSA/zffusers and execute.
In the second column enter the user ID of the person who left and execute; it will give the list of FF_IDs assigned to that user. Note those FF_IDs, run t-code /n/VIRSA/VFAT, go to the maintain FF_ID's table and replace the user ID with the new person's user ID.







SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -11







Q) How to find all activities (ACTVT) in SAP ?

All possible activities (ACTVT) are stored in table TACT , and the valid activities for each authorization object can be found in table TACTZ.

Q) How to remove duplicate roles with different start and end date from user master ? 

Duplicate roles assigned to a user can be removed using PRGN_COMPRESS_TIMES.

Q) What is the main difference between role and profile ?

Role: Collection of Transaction Codes Only (No linked authorization Objects)
Profile: It contains the related Authorization Object, Fields and Values of the transaction codes.

A role is a set of functions/activities assigned to a user based on his business role. Assigning a role to the user does not mean that the user has access to execute those functions. This is ruled by profiles. Profiles are required to give the necessary authorization to the users through the respective roles.

Q) What troubleshooting do we get from transactions like SU53, ST01, SUIM and ST22 ?

SU53: Shows the details of the last missing authorization for the user ID.
ST01: Sometimes SU53 will be wrong; ST01 runs a trace that records the authorization checks performed for the user ID.
SUIM: Used to pull authorization reports; usually we analyze the output of SU53 and ST01 and use those results as inputs for SUIM to pull the authorization reports.

Q) What is the difference between authorization user group and logon group ?

Authorization user group is used for user management purpose. Each user group is managed by certain security administrators. Authorization object S_USER_GRP determines users of which user group can be administered by a certain user admin. Those users who are not assigned to any user group can be administered by all the security user admins.

Logon groups are generally created by SAP Basis Administrators and used for logon load balancing. These are logical groups of users. These users can be assigned to one or more SAP instances. When a Logon group is assigned to an SAP instance, all users belonging to that logon group would by default logon to that particular instance. Hence logon group helps in load balancing.

Q) What steps are checked by the system when an interactive user executes a transaction code ?

Various steps are checked when a user executes a transaction code:

1. First it is checked whether the transaction is a valid transaction code. This is checked in the TSTC table. If the tcode does not exist, the system gives the message that the transaction does not exist.
2. If the tcode is a valid tcode, then the system checks whether the tcode is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked or unlocked.
3. The system then checks if the user has necessary tcode value maintained in authorization object S_TCODE in his/her user buffer. If the authorization object S_TCODE contains the required tcode, then the system checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in TSTCA table.
4. Further authorization check takes place based on the values present in the source code under “Authority-check” statement and the activity performed by the user.
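
The check order above can be modelled in a few lines of Python. This is an added example, not SAP code and not part of the original post: the TSTC/TSTCA rows and user buffers are constructed, reading bit 0x20 of CINFO as the lock flag is an assumption, and authority_check returns 0 / 4 / 12 in the style of the AUTHORITY-CHECK return code.

```python
from fnmatch import fnmatchcase

LOCK_BIT = 0x20  # assumption: this bit of TSTC-CINFO marks a locked t-code

# Constructed sample rows, not taken from a real system.
TSTC = {"SU01": 0x00, "VA01": 0x00, "SE16N": 0x20}   # TCODE -> CINFO
TSTCA = {"SU01": ("S_USER_GRP", {"ACTVT": "03"})}     # TCODE -> SE93 extra check

# User buffers: list of (authorization object, {field: [allowed values]}).
HELPDESK = [
    ("S_TCODE", {"TCD": ["SU01", "SU53"]}),
    ("S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
]
SALES = [("S_TCODE", {"TCD": ["VA0*"]})]
TCODE_ONLY = [("S_TCODE", {"TCD": ["SU01"]})]


def authority_check(buffer, obj, required):
    """Model of an authority check against the user buffer.

    Returns 0 if one authorization covers every required field value,
    4 if the object is in the buffer but the values do not match,
    12 if the user has no authorization for the object at all.
    Only '*' wildcards are modelled, not value ranges.
    """
    auths = [fields for name, fields in buffer if name == obj]
    if not auths:
        return 12
    for fields in auths:
        # All required fields must be satisfied by the SAME authorization.
        if all(
            any(fnmatchcase(value, pattern) for pattern in fields.get(field, []))
            for field, value in required.items()
        ):
            return 0
    return 4


def start_transaction(buffer, tcode):
    """Steps 1-3: TSTC lookup, lock flag, S_TCODE, then the TSTCA check."""
    if tcode not in TSTC:
        return "UNKNOWN_TCODE"            # step 1: not a valid transaction
    if TSTC[tcode] & LOCK_BIT:
        return "LOCKED"                   # step 2: locked via CINFO
    if authority_check(buffer, "S_TCODE", {"TCD": tcode}) != 0:
        return "NO_S_TCODE"               # step 3a: t-code not in S_TCODE
    extra = TSTCA.get(tcode)
    if extra and authority_check(buffer, extra[0], extra[1]) != 0:
        return "NO_" + extra[0]           # step 3b: SE93/TSTCA object fails
    return "STARTED"


def change_user_in_group(buffer, user_group):
    """Step 4: a check made inside the program after the t-code has started."""
    return authority_check(
        buffer, "S_USER_GRP", {"ACTVT": "02", "CLASS": user_group}
    )


if __name__ == "__main__":
    for name, buf in (("HELPDESK", HELPDESK), ("SALES", SALES),
                      ("TCODE_ONLY", TCODE_ONLY)):
        for tcode in ("SU01", "VA01", "SE16N", "ZZ99"):
            print(name, tcode, start_transaction(buf, tcode))
    print("HELPDESK change user in group FIN:",
          change_user_in_group(HELPDESK, "FIN"))
```

The HELPDESK buffer starts SU01 but gets return code 4 on the in-program change check, which is the case where SU53 or an ST01 trace is needed to see which field value was missing.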

Q) How to extract a list of users who have not logged in for 3 months ? And for 90-day user locking, which table do we use ?

T-code SUIM: Users -> click on By Logon Date and Password Change -> enter * in User, enter 90 in "No. days since last logon", check "Locked users" and then EXECUTE. Alternatively, run report RSUSR200 to get this information.
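
The same selection can be reproduced offline when reviewing a table extract. The following is an added example, not from the original post: it assumes a CSV export of table USR02 with the columns BNAME, USTYP, TRDAT (last logon date) and UFLAG (lock status), and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Lock bits of USR02-UFLAG; 0 means the user is not locked.
UFLAG_BITS = {
    32: "locked globally by administrator",
    64: "locked locally by administrator",
    128: "locked after failed logons",
}

# Constructed sample extract (not real user data).
SAMPLE_EXPORT = """BNAME,USTYP,TRDAT,UFLAG
ASMITH,A,20160520,0
BJONES,A,20160105,0
CLEE,A,00000000,64
RFC_ALE,B,20151201,0
DKHAN,A,20160210,128
"""

REPORT_DATE = date(2016, 5, 31)  # constructed "today" for the sample


def lock_reasons(uflag):
    """Decode the UFLAG bit field into readable lock reasons."""
    return [text for bit, text in UFLAG_BITS.items() if uflag & bit]


def inactive_users(export_text, today, max_days=90, user_types=("A",)):
    """Return users of the given types with no logon in the last max_days.

    TRDAT of 00000000 (or empty) means the user has never logged on;
    such users are reported with idle_days set to None.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["USTYP"] not in user_types:
            continue  # system/communication users do not log on via SAPGUI
        if row["TRDAT"] in ("", "00000000"):
            idle = None
        else:
            last_logon = datetime.strptime(row["TRDAT"], "%Y%m%d").date()
            idle = (today - last_logon).days
        if idle is None or idle > max_days:
            findings.append({
                "user": row["BNAME"],
                "idle_days": idle,
                "locks": lock_reasons(int(row["UFLAG"])),
            })
    return findings


def lock_candidates(findings):
    """Inactive users that are still unlocked, i.e. the ones left to lock."""
    return [f["user"] for f in findings if not f["locks"]]


if __name__ == "__main__":
    result = inactive_users(SAMPLE_EXPORT, REPORT_DATE)
    for finding in result:
        print(finding)
    print("still unlocked:", lock_candidates(result))
```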

Q) What is OSS Connection and System Opening and why we have to open these ? 

OSS means Online Service System, through which SAP gives service to R/3 users.

Q) What does a single role contain, and how many profiles can there be in one SAP CUA system ?

A single role will contain T-codes, Reports and URLs, Profiles and Users. Max profiles are 312.

Q) What is the difference between SE16 and SE16N  ?

SE16 - SAPLSETB - Data Browser
SE16N - RK_SE16N - General Table Display

SE16: SE16 is a data browser used to view the contents of a table. We cannot change or append new fields to the existing structure of the table, as SE16 does not provide a structure-level display.

SE16N: The transaction code SE16N (general table display) is an improved version of the old data browser (SE16). It has been around for some time, but is not widely known amongst Consultants and end users of SAP. It looks a bit different to the old “data browser” functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" without the quotation marks into the transaction code. This enables editing functionality on SE16N and allows you to make table changes. This allows you to access both configuration and data tables which may be otherwise locked in a production environment.

** Whilst this may appear to be a short cut and allow you to access a back door which is normally shut, this hidden feature should be used with caution in any SAP client - especially a live or production system.

New Features of SE16N:
** The new transaction has a number of distinct advantages over SE16.
** You no longer have a maximum of 40 fields to select in the output.
** There are fewer steps involved in executing a number of functions, whether it be outputting the results, maintaining the values in a table etc.
** Exporting the data into Excel is far easier and quicker
** ALV functionality is available as standard
** The user is not restricted by having a maximum width of 1023 saved as a default in the user settings.

Limitations of SE16N:
** You can only output one table at a time. If you wish to output more than one table you can use the available reporting tools or the QuickViewer (transaction code SQVI) functionality within SAP.

Q)  How many transaction codes can be assigned to a role ?

A maximum of around 14000 transaction codes can be assigned to a role.


Q)  What is the difference between ECC security and RAR security when GRC is used, given that similar functionality can be performed at SAP R/3 level (ECC) ?

ECC and RAR are different. ECC is a system whereas RAR is a tool.
ECC security involves security data, t-code access, report access and maintaining the authorizations.

RAR (Risk Analysis and Remediation) is a tool used for risk analysis and its remediation, as the name suggests. This tool determines all potential risks that arise if a t-code/object/role/authorization is assigned to a user. The tool also helps to remediate that risk using mitigation techniques.

Simply put, in the ECC system you can't find any risk while assigning roles.

But the RAR tool checks the risk of that particular assignment, and if a risk is there we can mitigate and simulate that risk. In other words, it is purely for SoD (segregation of duties).
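
The kind of analysis described above (a rule set of conflicting functions, checked against what a user's roles grant, with mitigation and simulation) can be sketched as follows. This is an added example, not how RAR is implemented and not from the original post: the risk IDs, role names, users and the two rules are hypothetical and constructed for illustration.

```python
# Constructed rule set: each risk is a pair of functions, each function a
# set of t-codes. One user holding a t-code from BOTH sides is a violation.
RULE_SET = {
    "Z001": {
        "desc": "Maintain roles and assign them to users",
        "functions": [{"PFCG"}, {"SU01", "SU10"}],
    },
    "Z002": {
        "desc": "Maintain prices and create sales orders",
        "functions": [{"VK11"}, {"VA01"}],
    },
}

# Hypothetical roles and assignments.
ROLES = {
    "Z_ROLE_ADMIN": {"PFCG", "SUIM"},
    "Z_USER_ADMIN": {"SU01", "SU53"},
    "Z_SALES_ORDER": {"VA01"},
    "Z_PRICING": {"VK11"},
}
USERS = {
    "ASMITH": ["Z_ROLE_ADMIN", "Z_USER_ADMIN"],
    "BJONES": ["Z_SALES_ORDER"],
    "CLEE": ["Z_SALES_ORDER", "Z_PRICING"],
}
# (user, risk) pairs accepted with a compensating control.
MITIGATED = {("CLEE", "Z002")}


def granted_tcodes(role_names, roles):
    """Map every t-code the roles grant to the roles that grant it."""
    granted = {}
    for role in role_names:
        for tcode in roles[role]:
            granted.setdefault(tcode, set()).add(role)
    return granted


def risks_for(role_names, roles, rule_set):
    """Return {risk_id: [t-codes hit on side 1, t-codes hit on side 2]}."""
    granted = set(granted_tcodes(role_names, roles))
    hits = {}
    for risk_id, rule in rule_set.items():
        sides = [sorted(function & granted) for function in rule["functions"]]
        if all(sides):  # every side of the conflict must be reachable
            hits[risk_id] = sides
    return hits


def analyze(users, roles, rule_set, mitigated=frozenset()):
    """User-level risk analysis: one row per user and violated risk."""
    report = []
    for user, role_names in sorted(users.items()):
        found = risks_for(role_names, roles, rule_set)
        for risk_id, sides in sorted(found.items()):
            status = "mitigated" if (user, risk_id) in mitigated else "open"
            report.append((user, risk_id, status, sides))
    return report


def simulate(user, new_role, users, roles, rule_set):
    """What-if check before provisioning: risks the new role would ADD."""
    before = risks_for(users[user], roles, rule_set)
    after = risks_for(users[user] + [new_role], roles, rule_set)
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    for row in analyze(USERS, ROLES, RULE_SET, MITIGATED):
        print(row)
    print("BJONES + Z_PRICING would add:",
          simulate("BJONES", "Z_PRICING", USERS, ROLES, RULE_SET))
```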



May 29, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -10





Q) How do you get tickets from end users ? Which ticketing tool are you using ?

Generally tickets are raised by the end users or clients.
Each organization has a separate tool for tickets, and the team leader then allots the tickets to the corresponding person through mail.
Ticketing tools: HP OpenView, Remedy, mail (Microsoft Outlook), Lotus Notes, Magic
HPSD - HP Service Desk. First, users send mails to 1st level support stating their issue; support then creates a service call and assigns it to the respective team. A unique number is provided, called the service call number, and it is used as the reference number in future.

Q) What is difference between ECC 4.7, ECC 5 and ECC 6 from SAP Security point of view ?

SAP ECC 4.7 is an ABAP-based system; here we see only R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means Enterprise Portal is also included. Here we have both R/3 security for the ABAP stack and Java stack security, which is covered by the portal concept (Enterprise Portal Security).
SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0 but not on ECC 4.7.

Q) What is Role Matrix ?

A role matrix is nothing but a set of columns in which we maintain t-codes against roles:

          z_singlerole    z_dervir
---------------------------------------
PFCG           x
SU01                          x
VA01           x
VK11                          x

Based on the business process approvers, we can assign t-codes to particular roles.

Q) What are the steps to create a user in SAP ?

Following are the steps to create user in SAP:

1. Log on to the SAP system and execute transaction code SU01. (Path to SU01 via user menu: Tools -> Administration -> User Maintenance -> Users)
2. Give a username in the “User” field and click create. In the next screen, there are various tabs like Address, Defaults, Parameters, Roles, Profiles etc.
3. In the “Address” tab, fill the necessary fields (Last Name is mandatory).
4. In the “Logon data” tab, select the “User Type” and fill “Initial Password” (Initial Password is mandatory in all cases except if the “User Type” selected is “Reference”).
5. Similarly fill other information in rest of the tabs viz. “Defaults”, “Parameters”, “Systems”, “Roles”, “Profiles” etc.
6. Now click on Save. User is created.

Q) What are different types of users in SAP System ?

Different user types are:
(1) Dialog
(2) Service
(3) System
(4) Communication
(5) Reference

Q) What mandatory fields need to be filled while creating a user in SAP ?

Last name is mandatory for creating any user type. Initial password needs to be given for all user types except “Reference users“.

Q) Which table contains the list of developers (development users) including registered Developer access keys ?

DEVACCESS table contains the list of developers and their developer access keys.

Q) What does table TSTCP contain ?

Table TSTCP contains information related to transactions which are parameterized transactions for a tables or views.


Q) How can we schedule and administer background jobs ?

Scheduling and administration of background jobs can be done using T-codes SM36 and SM37.


Q) I have deleted a single role from a composite role and now I want to find out the changes in the composite role without using SUIM. Is there any other possibility ?

Yes, it is possible from the role screen itself.
Go to the menu tab.
Go to Utilities ---> Change documents. You can also see it from table AGR_AGRS.

Q) How many authorizations fit into a profile ?

A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this value, the profile generator automatically creates one more profile for the role.

Q) How many profiles can be assigned to any user master record ? 

Maximum number of profiles that can be assigned to any user master record is 312. Table USR04 contains the profiles assigned to users. The field PROFS in USR04 table is used for saving the change flag and the name of the profiles assigned to the user. The change flags are – C which means “User was created” and M which means “User was changed”. The field PROFS is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.



SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -9







Q) How do we know who made changes to Table data and when ?

If checkbox for table Log Changes is enabled, table DBTABLOG keeps all the log data for the related table.

Q) What is a composite role ?

A composite role is like a container which contains several single roles. They do not contain authorization data and the authorization needs to be maintained in each role of the composite role. A composite role cannot be added to a composite role. The users assigned to a composite role are automatically assigned the corresponding single roles.

Q) What is the difference between USOBX_C and USOBT_C ?

USOBX_C and USOBT_C are tables which are used for SU24 transaction code.

The table USOBX_C defines the status of authorization checks for authorization objects, i.e. whether the “check indicator” is set to yes or no. It also defines the proposal status, i.e. whether the authorization check values are being maintained in SU24 or not.

The table USOBT_C defines the “values” which are maintained for check-maintained authorization objects.

Q) How can we convert Authorization Field to Org Field ?

The report PFCG_ORGFIELD_CREATE is used for converting an Authorization Field to Org Level Field. It can be executed using SA38/SE38 tcode.

There is a bit of caution involved here. Make sure that whatever change related to this conversion is made is done in the initial stage of security role design/system setup. In case this task is performed at a later stage, there is a risk that this will impact lots of existing roles. All those roles would require analysis and authorization data will have to be adjusted.

NOTE : Authorization fields TCD (Tcode) and ACTVT (Activity) cannot be converted to org level fields.

Q) How do we find all activities in SAP ?

All Activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16 tcode.

Q) What important authorization objects are required to create and maintain user master records ?

Following are some important authorization objects which are required to create and maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q) Which table is used to store illegal passwords ?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.

Q) Explain the concept of “Status Text for Authorizations” – Standard, Changed, Maintained and Manual.

• Standard – It means that all values in authorization field of an authorization instance is unchanged from the SAP default value (i.e. the values which are getting pulled from SU24)
• Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value. Other fields already having some value have not been touched.
• Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
• Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.

Q) What is the difference between Role and Profile ?

A Role is like a container which contains authorization objects, transaction codes etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated which contains authorizations (instances of authorization objects).

Q) What is PFCG_TIME_DEPENDENCY ?

PFCG_TIME_DEPENDENCY is a report which is used for user master comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up the expired profiles from user-master record. Role name still remains in the SU01 tab of the user. Transaction code PFUD can also be used to directly execute this report.

Q) What are the different tabs in PFCG ?

Following are some of the important tabs in PFCG:

• Description - We define the role name and role text. We also have a text description option at the bottom where we can provide other details related to the role. Those details can be the ticket no through which the role was created, the various changes (addition/removal of tcodes, authorization objects etc) and the date when those changes took place and the user who performed that task etc. It is a good practice to make use of this space as it helps in identifying the reasons for changes.
• Menu - For designing user menus like for addition of tcodes etc.
• Authorizations - For maintenance of Authorization data. Also for generating authorization profile.
• User – For assigning users to role and for adjusting user master Records.

Q) What does user compare do ?

When a role is used for generating authorization profile, then the user master record needs to be compared so that the generated authorization profile can be entered in the user master record. This comparison is done using tcode PFUD or by scheduling the report PFCG_TIME_DEPENDENCY.

Q) What is user buffer ?

A user buffer contains all authorizations of a user. Each user has his own user buffer and it can be displayed by executing tcode SU56. The authorization check fails when the user does not have the necessary authorization in his user buffer or if the user buffer contains too many entries and has overflowed. The number of entries in the user buffer is controlled using the profile parameter “auth/auth_number_in_userbuffer”.




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -8





Q) What are various user types ?

Dialog user 'A'
Individual system access (personalized). Logon with SAPGUI is possible. The user is therefore interaction-capable with the SAPGUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logon is checked. Usage: For individual human users (also Internet users)

System user 'B'
System-dependent and system-internal operations. Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. Multiple logon is permitted. Usage: Internal RFC, background processing, external RFC (for example, ALE, workflow, TMS, CUA)

Communication user 'C'
Individual system access (personalized). Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI. Expired or initial passwords are checked but the conversion of the password change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*) Users have the option of changing their own passwords. Usage: external RFC (individual human users)

Service user 'S'
Shared system access (anonymous). Logon with SAPGUI is possible. The user is therefore interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted. Usage: Anonymous system access (for example, public Web services)

Reference user 'L'
Authorization enhancement. No logon possible. Reference users are used for authorization assignment to other users. Usage: Internet users with identical authorizations

Q) What is the difference between a Template role & a Derived role ?

A template role is nothing but a default role provided by SAP. This template role might be a single, composite or derived role. Template roles have no generated profiles or authorizations, are not assigned to users, and have no org levels maintained.
A derived role is nothing but a single role that is derived from a master role; it can restrict org levels and can be assigned to users.

Q) What is the advantage of CUA from a layman/manager point of view ?

CUA - Central User Administration
The advantage of CUA is that it saves time: users are created in one single system and distributed to the respective systems (where the user ID is requested). It helps to avoid logging on to each individual system.

Q) What is the procedure for deleting a role ?

You can't delete the role in the Production system.
First you have to delete the role from the development system.
In the DEV system, go to PFCG, enter the name of the role you want to delete and create a transport request, but don't release it. After creating the transport request, delete the role from PFCG in the DEV system. Transport the request to the Testing and Production systems. Once the request has been transported successfully, the role is deleted from there as well.
1) Create a transport request for the role but don't release it
2) Delete the role from the system
3) Release the transport request.

Q) If we delete a Role can we transport it, if yes then how ?

Yes, add that role to a transport request first and then delete it from dev system. After deletion transport it to QA and prod system

Q) When creating a role, what should we write in the description, and what does your company follow ?

The description of a role defines the role-related activity in short. Just by seeing the description of the role, one can easily know the role details, such as which SAP module the role belongs to (MM/PP/FICO). The company code/org level values and restricted values can also be mentioned there, as well as the activity performed after assigning that particular role.

Q) Can you tell me some of the password related parameters ?

Password related parameters are:
login/min_password_lng (defines the minimum length for the password)
login/min_password_digits
login/password_expiration_time
These are the main parameters, which can be maintained via t-code RZ10.

Q) What is the use of CUA ?

CUA: Central User Administration
1. Using CUA, you can reset the password globally (meaning: in a single shot you can reset the password for all child systems, or reset the password for an individual system, through CUA)
2. No password reset tag in individual systems
3. Using CUA, you can unlock and lock the users.
4. Using CUA, you can assign the roles to particular system
5. Using CUA, you can add systems to particular user

Q) What are the types of requests ? And which we create for transportation ?

Generally there are two types of transport request.
1) Workbench Request: Client independent, used generally in CUA where change made are transported to cross client tables.
2) Customizing Request: Client dependent.

Q) I want to reset the passwords of 100 users. How do you do it ?

Mass Password resetting is the easiest task. Login into LSMW t-code. Create a project, which is very easy. Record a batch input session. And run it. It hardly takes 2 mins. OR SECATT script




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -7






Q) Is it possible to assign two roles with different validity period to a user in one shot through GRC ? If yes, how

If you are talking about GRC Access enforcer tool then there is option of validity period for role while creating access enforcer request. When you go to button "Select roles" and when you search and add role in Role Tab you can see column Validity period which you can change. And you can add multiple roles to one user by just performing "Add" role activity. I hope this is what you are asking for.

Q) How to get the E-Mail address for 100 users at a time ?

Use a SECATT script, or, to get the email addresses of a number of users, go to SE16 -> ADR6 -> give the person number or address number.
To get the address number or person number, go to table USR21 and extract the data of the users.

Q) While Creating BW roles what are the Authorization Objects we will use ?

 s_rs_auth, s_rs_icube, s_rs_odso, s_rs_mpro, s_rs_ipro, s_rs_admwb (for BI consultants & admins) and s_rs_rsec (for BI Security consultant)

Q) When do we change the password for many users (for example, 100 users) ?

a) At the time of implementation we create users & PWD
b) Depend on business user’s requests
c) If locked users needed to unlock and make them use then we generate new PWDs.
d) Monthly or quarterly basis we send a message to end-users to change their PWDs.
e) Users got locked due to incorrect log on.
f) Users locked with the expiration of their user ids.

Q) (A) Where is the password stored ?
(B) From where can you re-collect the password ?
(C) How will you communicate the password to all users at a time ?

A) PWD information will be stored in table USR02.
B) There is NO re-collect password process in SAP; the user needs to send a request to the security team again to re-issue a new PWD.
C) We can do it through a SECATT script.

Q) What is Virsa ? Once you have entered the screen, what will it perform ?

Before GRC came into the picture there were other tools on the market for this analysis: VIRSA and APPROVA. Both are Indian companies. VIRSA developed tools like Firefighter, Compliance Calibrator, Access Enforcer and Role Expert to do risk analysis, but in the year 2006 VIRSA was taken over by SAP and the tools were renamed Superuser Privilege Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP) and Enterprise Role Management (ERM) respectively.
Virsa FireFighter for SAP: enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access & tracks and logs every activity the super-user performs using that temporary ID.

Q) What is the use of SU24 & SM24 ? 

There is no SM24 t-code in SAP. Coming to SU24, here we can maintain the assignment of authorization objects to a particular t-code, check the relation between the t-code and the authorization objects concerned, and make changes according to business needs. In other words, it maintains authorizations and their fields and field values.


Q) What is Dialog users, Batch users and Communicate users. What is the use with Communicate user ? 

Dialog user is used by an individual to do all kinds of log on. Batch user is used for Background processing and communication within the system. Communicate user is used for external RFC calls. (Across the systems we can connect)

Q) Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests ? 

We cannot add a composite role into another composite role but we can add multiple derived roles into one composite role.

Q) In transport, what type of request do we use ? Why don't we use a workbench request in transport ?

Most of the time we transport workbench and customized requests. 95% of the time we do customized transports, as we do settings, configurations, creation etc. in the DEV system and transport them to the QUA or PRD systems.
Settings, configurations etc. done by BASIS, Security and Functional consultants are treated as customized; if ABAPers create programs, packages etc. and transport them, those are treated as workbench.

Q) When we add an authorization object to a template role, what happens in the derived role at the same time ?

Template roles are provided by default by SAP when we do the implementation (install SAP). When we want to use a template role we should not use that role directly; instead we can use the COPY option to copy it and customize it according to our business needs.

Q) How do we check profile parameters? And how do we find out whether any transport has ended with an error, and where can we check?

Use t-code RZ10 to check profile parameters. In t-code STMS we can check the transport error logs: click on Import Overview (truck icon) in the STMS screen; the next screen has options such as Import Monitor, Import Tracking and Import History, which show the transport issues.






May 28, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -6






Q) If we add org level elements in a master role, will they be reflected in the child role, and how will AGR_1252 act as a barrier?

Org level elements do not take effect in child roles. AGR_1252 shows the org values related to a role.

Q) How to do mass user to role assignment using SECATT, will you use SU01 or SU10 ? Explain why you will use SU10 not SU01 ?

We can assign role to mass users using SU10. We can do the same with SECATT.

Q) Can SU10 be used for mass password reset ? Why not ?

The password reset option is not available in SU10 for mass user maintenance.

Q) If you want to reset the password for say 100 users in Production how will you do ?

We can use SAP GUI scripts or SECATT to do it.

Q) Explain Steps 2A and 2B in SU25 ? 

2A -->This compares the Profile Generator data from the previous release with the data for the current release. New default values are written in the customer tables for the Profile Generator. You only need to perform a manual adjustment later (in step 2B) for transactions in which you changed the settings for check indicators and field values. You can also display a list of the roles to be checked (step 2C).

2B-->If you have made changes to the check indicators or field values in transaction “SU24”, you can compare these with the new SAP defaults.
You can see the values delivered by SAP and the values that you changed next to each other, and can make an adjustment, if desired. You can assign the check indicators and field values by double-clicking the relevant line.

Q) What is the difference between Derived Role & Copy Role ? Can't we just do a copy instead of deriving it when both have the same characteristics or inputs or functions ?

Derived role: A derived role inherits all properties, meaning all authorizations, from the master role. If you make any changes in the master role they are reflected in the child role, but not vice versa. We can't add any authorizations in a derived role, but we can maintain org levels.

Copy role: Copying a role means creating a new role that is the same as an existing role. Its name should be changed. There is no relation between the existing role and the copied role.

Q) What is the difference between PFCG, PFCG_TIME_DEPENDENCY & PFUD ?

PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison; the difference is that if you schedule the background job on a daily basis, it does the mass user comparison automatically.

Q) What does the Profile Generator do ?

We can create, transport, copy, download and modify roles; all of this is done from the PFCG t-code.

Q) What is the main purpose of Parameters, Groups & Personalization Tabs ?

Parameters: whenever a user wants some default values when he/she executes a t-code, we can maintain PIDs with the help of ABAPers.
Groups: based on user roles and responsibilities, the security admin can assign the user to a particular group.
Personalization: this data is provided by SAP itself, based on the t-codes maintained on the Menu tab.

Q) Purpose of Miniapps in PFCG ?

Using mini apps we can add some third party functionality.

Q) What happens to change documents when they are transported to the production system ?

Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'before input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand.

The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.

Q) What do you know about LSMW ?

LSMW is used for creating a large number of users at a time.

Q) Difference between SU22 and SU24 ?

SU22: here the standard t-codes and their standard authorization objects are maintained (USOBX and USOBT).
SU24: here we can maintain customer related t-codes and their authorization objects (USOBX_C and USOBT_C).

Q) What is the landscape of GRC ?

GRC landscape is development and production.

Q) What is the difference between Template role & Derive role ?

Template role: it is provided by SAP itself.
Derived role: a role which is derived from a master role. It can inherit the menu structure, t-codes and so on, but it can't inherit the organization levels; in a derived role we can maintain organization levels only.



SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -5







Q) What is SOD (Segregation of Duties) ?

SOD stands for segregation of duties. It is a primary internal control to prevent the risk, identify a problem and take corrective action. It is achieved by assuring that no single user has control over all phases of business transactions.
E.g.: the staff member who creates a purchase order must not approve the same; there must be a different person to approve it.

Q) How do we restrict the auth groups for table maintenance, creating an auth group using SE54 to build new auth groups that restrict tables via auth object S_TABU_DIS ?

We can restrict authorization groups via object S_TABU_DIS. First we need to create an authorization group in SE54, then assign this authorization group in a role by using the object S_TABU_DIS.

Q) How to create new authorization object ?

1. To create the authorization object, choose the SU21 transaction.
2. First double-click an object class to select it.
3. Provide the name of the object and relevant text
4. Add the fields that should be included in the new authorization object.
5. Hit Save. Once you click on save it will ask for package details (select the relevant package from the drop down list); save again.
6. The new auth object is created now.
7. Click on permitted activities to select the activities and save the changes.

Q) What is the difference between Parent role and Composite role ?

A composite role is a collection of single roles.

The parent role concept comes in with derived roles, where one role is derived from another role (like inheritance). Whatever changes you make to the parent role are automatically applied to the derived role as well.

Q) How can I assign the same role to 200 users ?

You can do it using PFCG -> enter the role -> change -> go to the Users tab -> paste the users -> click on User Comparison -> Complete Comparison -> save the role, and it's done. Or:

One can also use "Authorization Data" functionality in transaction SU10 to complete this task.

Q) Difference between USOBT_C and USOBX_C ?

USOBX_C defines which authorization checks are to be performed within a transaction and which are not. This table also determines which authorization checks are maintained in the Profile Generator.

USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q) What are USOBT and USOBX tables for ?
SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C.

Q) Difference between USOBT and USOBT_C ? 

USOBT is an SAP delivered table whereas USOBT_C is a customer table. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.

Q) How do you create custom t-codes ?

Yes, we can create custom t-codes in SE93.

Q) Difference between customizing request and workbench request ?

Customizing request is client dependent. Workbench request is client independent.

Q) To transport SU24 settings, which request is used: customizing or workbench ?

For transporting SU24 changes we need a workbench request, as these are client independent settings.

Q) What do the different color lights denote in profile generator ?

There are three colors (like traffic lights) in profile generator:

Red – It means that some organizational value has not been maintained in org field in profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained).
Green – It means that all the authorization fields are maintained (values are assigned).

Q) Can a composite role be assigned to another composite role ? 

No. A composite role cannot be assigned to another composite role. Single roles are assigned to composite roles.

Q) What does the PFCG_TIME_DEPENDENCY clean up ?

The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be used for this purpose.

Q) How to prevent custom objects from getting added to SAP_ALL profile ? 

Go to table PRGN_CUST and set the following parameter: ADD_ALL_CUST_OBJECTS with value N.
Regenerate the SAP_ALL profile with report RSUSR406 to have the customer objects removed from SAP_ALL. See SAP Note 410424 for more info.




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -4





1. Tell me about your SAP career ?

Elaborate about your complete SAP experience and yes be true with them.

2. Tell me your daily monitoring jobs and most of them you worked on ?

As a part of my daily job as an SAP Security consultant I have to take care of monitoring tickets and assigning them within the team. I have to take care of critical incidents and give them high priority for faster resolution. I have to troubleshoot the different authorization issues that come up in daily work with the users.

3. Which version of SAP are you working on ? Is it a java stack or ABAP stack ?

You have to check this with your systems.

4. Tell me about derived role ?

Derived roles are used to restrict user access based on organizational level values. A derived role is inherited from the master role and inherits all the properties except org level values.

5. What is the main difference between single role and a derived role ?

Main difference--we can add/delete the T-codes for the single roles but we can’t do it for the derived roles.

6. Do S_TABU_DIS org level values in a master role get reflected in the child role ?

If we adjust the derived roles from the master role while updating the values in the master role, then the values will be reflected in the child roles.

7. Tell me the steps to configure CUA ?

Steps to Set Up the CUA
1. Create Administrator
2. Specify Logical systems
3. Assign logical systems to client
4. Create system users
5. Create RFC destinations
6. Create CUA
7. Set field distributor parameters
8. Synchronization of company addresses
9. Transfer Users

8. Is RAR a java stack or Abap Stack ?

RAR is Java stack. It was ABAP when it was called Compliance Calibrator.

9. What is the report which states the critical T-codes ?

RSUSR005

10. What is the T-code to get into RAR from R/3 ?

/virsa/ZVRAT

11. Explain about SPM ?

SPM can be used to maintain and monitor super user access in an SAP system. This enables super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors to easily trace the critical transactions that have been performed by the business users.

12. What is the difference between Execution and Simulation in GRC RAR ?

Simulation: It simulates the existing access together with the additional access before the roles are assigned, and provides the SOD report as it would be after assigning the roles.
Execution: It executes against the user's existing access and provides the SOD report for that existing access. There are 2 options: ignore mitigation yes and ignore mitigation no.

13. Difference between User Group in “Logon Data” and “Groups” tab in SU01 ?

The difference is that in the Logon Data group you can map one user to only one group, but in Groups you can map one user to multiple groups.

The group shown in Logon Data identifies which group the user belongs to, and the Groups tab is used to add that user to multiple groups. For example, if the user is a basis employee we group him on the Logon Data tab, and if we want to add him to more groups we add those on the Groups tab.

14. Security admin kept trace on a user. But while analyzing it is showing that "zero records" found. Then what to do ?

In general, the production system runs on multiple application servers. Check through transaction code SM51 whether the user and the security admin are logged in to the same application server.

Before switching on the trace please take care of the things below.

1. The user should log on to the same server.
2. Go to SM04 / AL08 to check on which server the users are logged in, and confirm that both are logged in to the same server.
3. Select the appropriate option, e.g. authorization kernel check, so that it checks the authorizations for what the user is going to run.

15. What is the difference between SU24, SU22, and SU21 ?

SU24: Authorization check under Transaction. SU24 can access customized tables USOBX_C and USOBT_C

SU22: Authorization objects in transactions. SU22 can access standard tables USOBX and USOBT

SU21: Maintain authorization Object



December 13, 2013

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -3



Q) Where are all possible activities stored?
A) In the table TACT

Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role to a user. If at all you want to, first make a copy of the pre-defined role and then add the user to the role.

Q) Is a role without Auth-profile considered as complete or not?
A) No

Q) What are the types of roles?
A) Roles are of 2 types: 1) Parental Role 2) Derived / Base Role

Q) What is the relationship between parent and derived roles?
A) In Parent role we maintain the list of Transaction Codes whereas in derived role we assign the parent role name so that an inheritance hierarchy is being maintained and hence the transactions are automatically pulled into derived roles.

Q) What are the total numbers of activities?
A) As per 4.7 total number of activities=168
01 – 99 = Activities
A1 – VF = 69

Q) What is the default authorization object which is used to check for any role?
A) S_TCODE
Note:
1) We cannot edit S_TCODE object in a Role. The only way to add a transaction code is in parent role.
2) The first time, while creating a new role, if any functional transactions are added to the role, we have to maintain the organization levels in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.

Q) Why should we not add organizational values directly in a role without using org levels button?
A) Maintaining the values directly no longer changes the values, i.e. whenever we try to add a new value and generate, an empty field appears; when adjusting derived roles, the authorization value is overwritten.

Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to production. If I delete a role in dev box, the same role has to be deleted in prod because these roles are finally used by the users in prod box only. Hence the deleted role needs to be transported.
   Go to PFCG select the role to be deleted. Keep the role in a transport by selecting transport role button.

Q) How do we unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Logon data and check whether the user is locked.
   Go to SUIM -> Change docs for user -> Enter the user name and execute

Q) Where do the default values in a role come from, i.e. the activities under an auth object?
A) Tables USOBX_C and USOBT_C are the tables that control the behavior of the profile generator after the transaction has been selected.

Q) How do I deactivate authorization object globally?
A) Go to SU25 select step 5 deactivate authorization globally.

Q) What is single sign-on?
  1) Single sign-on is where we create a credential through a third party tool, e.g. Keon, and later on log on to SAP without entering any credentials.
  2) We can even log on through the internet using SSO.
  3) SSO is represented in the form of an SNC (Secured Network Connection) string. For the SNC string to be activated we need to configure certain DLL files at OS level.
  4) Once we confirm the DLL files, we need to go to SAPGUI, select one server, go to Properties -> Network, check the secure network settings and enter the SNC string.

Q) What are the Steps to Configure CUA?
  CUA works with RFCs. Steps to configure CUA:
  1) Create logical systems for all the clients (using BD54/SALE)
  2) Attach the logical systems to clients using SCC4
  3) Create user CUA_SID in the central system with 3 roles and create user CUA_SID_CLIENT<number>/name in the child system with 2 roles.
  4) Create RFCs from central to the child systems and from child to central using SM59
  5) Log on to the central system and use SCUA to configure CUA (Central User Admin)
  6) Enter the model view and enter all child system RFCs

Q) If all the users are locked mistakenly, how do we connect to SAP system?
A) Follow the steps
   Step 1) Go to OS level and execute the following SQL scripts after connecting to Oracle DB
   Select * from <Application Server name>.USR02 where bname='SAP*';
   Delete from <Application Server name>.USR02 where bname='SAP*';
   Step 2) Then Login using SAP* user
   Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.

Q) There is one derived role. If I copy the derived role, will the parent or master role be the same for the new role that is copied from the derived role? If so why, if not why ?

Yes. If I copy a role from a derived role, then the parent role of that derived role becomes the parent role of the new role as well, because that derived role gets all its transactions and authorizations from the parent role only. So if we copy a role, all the transactions with their authorizations are copied from the role we are copying from, which might be a parent role or a derived role.

Q) What is the organizational level ?

These are customer specific enterprise structures which are subject to authorization checks and vary by module. It maintains:
Company code
Controlling Area
Plant
Purchase Order and so on....

Q) How many composite roles can be assigned to a user ?

Ideally there is no limit on the number of composite roles/single roles that can be assigned to a user. But keep in mind that the user buffer can hold only 312 profiles for a user. Hence there is no use in assigning roles amounting to more than 312 profiles to a user. To extend the authorizations beyond 312 profiles, use a reference user.

SAP_ALL is said to be a good example of a composite role, so is there any single role limit in SAP_ALL? There is no limit for adding single roles to a composite role.


SAP BASIS INTERVIEW QUESTIONS & ANSWERS 6




Support :-

Q) What are the steps involved in stopping SAP system?
A) Before stopping the SAP system we need to check the status of the following:
• Check if there are any logged on users. Use Transaction Code – SM04
• Check if any background process is to be defined. Use TC – SM36
• Check if any background processing is going on. Use TC – SM37
• Check if there is any batch input session. Use TC – SM35
• Check if there are any update processes running. Use TC – SM13

Client Copy :-

Q) Why do we need to perform a test run?
A) Test run determines which tables are to be changed.

Q) What is the amount of storage space a client will occupy?
A) A client without application data needs approximately 150-200 MB of storage space in a DB.

Q) Why do we need to do client copy?
A) To create new clients.

Q) Do we need to transport clients between systems (or) what is the procedure for copying clients between systems?
A) We are no longer required to transport clients; instead we make a remote client copy.

Q) Why should we not transport the client data?
A) This is explained with the help of a scenario. In the target system, we have set up clients whose data must not be affected. Cross client data must not be imported into the system from outside, since the cross client data overwrites existing data, so that the customizing data of other clients in the target system no longer takes effect.

Q) What default user has all the authorizations?
A) SAP*. This is the reason for locking this user in different environments.

Spool :-

Q) How to identify how many spool work process are setup in a particular application server?
A) Trans-Code SM51 and select the application server.
   Go to SM50 and count the number of work process with SPO

Q) How many spool processes are configured in our entire SAP system?
A) Use SM66 and check for SPO work processes. In select process, choose Type = Spool and Status = Wait.

Q) Can we change number of spool work process by operation mode switching?
A) No. Only background and dialog work process can be modified.

Q) How to identify how many spool servers are available in your SAP system?
A) Use SM51 or SM66 and check for application servers with at least one spool work process.

Q) How to make setting for an individual SAP user so that an output request is not created immediately for a spool request?
A) SU3 go to Default tab and ensure that output immediately option is not checked.

Q) How to find which printer is defined at OS level of your server?
A) Go to start -> Settings -> Printers (Revisit)

Transport :-

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.

Q) What is transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain controller.

Q) What is transport domain?
A) All R/3 systems that are planned to manage centrally using TMS form a transport domain.

Q) What are the two editor modes in which we can configure the transport routes?
A) 1. Graphical Editor
   2. Hierarchical Editor

Q) What are the various configuration methods available in STMS?
A) 1. Single system configuration
   2. Development and Production systems
   3. Three systems in a group

Q) What is a standard transport layer?
A) This describes the transport route that the data from the development systems follows.

Q) What is SAP transport layer?
A) It is a predefined transport layer for DEV classes of SAP standard objects

Q) What are the three approval steps you need to follow as a part of approval procedure in QAS?
A) 1. To be approved by system administrator
   2. To be approved by department
   3. To be approved by request owner

Q) What are the various qualifier option or what are the various import options?
A) There are six import options
    1. Leave transport request in queue for later import
    2. Import transport request again
    3. Overwrite originals
    4. Overwrite objects in unconfirmed repairs
    5. Ignore unpermitted transport type
    6. Ignore predecessor relations   


December 12, 2013

Sap Database Notes -4



BR Tools:
1. Login to ORA<SID> using putty
2. Type BRTOOLS
3. There are totally 9 option in BR tools
a. Select Instance management, it is option 1
b. In Database instance management select option 2 to shutdown the database.
c. Type ‘C’ and click enter to continue
d. In Database instance shutdown main menu select option 1 shutdown DB.
e. Under the options for shutting down the DB instance we have to choose option 1, that is close mode (default mode is immediate)
f. Select option 1 and enter the string value for ‘mode’ (immediate|normal|transactional|abort).
Note: if users are logged in to the SAP system then I cannot use the immediate, normal or transactional modes. Using abort mode shuts down forcefully and results in data loss, hence never use this option; to be on the safest side always shut down using normal mode.

Alter DB Instance (Switching off archive mode):
1. Shut down SAP -> Stop SAP [<SID>adm]
2. Log on to ORA<SID> user and start BR tools
3. In BR tools -> Select option 1 (Instance Management)
4. Start up database -> Select option 1
5. Alter DB instance -> Option 3
6. Enter ‘c’ to continue
7. Enter ‘c’ to continue
8. Select option 4 for set non archive mode
9. Enter ‘c ‘to continue and select option 5 to show instance status
Note: while switching between archive mode and non-archive mode, it shuts down the DB instance first and then starts the DB instance. In each of these cases the time stamp, that is date and time, is recorded. Once the DB is up and running, always check the status before performing any action.

(Q) If SAP is started and I try to switch to non-archive mode, what will happen?
(A) It will show an error stating that the SAP instance is running: please shut down first or use the force option.

(Q) If SAP is running and I try to shut down the DB using BR tools, what will happen?
(A) It throws an error saying that SAP is running: please shut down SAP first or use the force option and then continue.

Table space administration:
1. Oracle stores data in table spaces, each table space consists of one or more data files.
2. Data files are plain files stored on local system
3. Oracle has 4 segment types
a. Data -> This segment contains table data in rows
b. Index -> Each table has one primary index and ‘n’ number of secondary indexes (optional). The index is used for faster access to table data and to enforce unique constraints.
c. Temp segment -> This segment is used for sorts and to create indexes.
d. Roll back/undo segment -> This segment is used to provide read consistency, that is, the ability to roll back changes to tables for recovery.
4. To meet the demands of large DBs, DB designers create partitioned tables and indexes.
5. An index segment in an Oracle DB used in SAP holds either all data for a table that is not partitioned or all data for a partition of a partitioned table.

Common table spaces:
1. System -> Oracle data dictionary
2. PSAP ROLL -> Roll back segment
Note: From WAS 6.1 version we have SAP undo as roll back segment.
3. PSAP TEMP -> Temporary segment.

(Q) If table space is full then what are the possibility to extend the table spaces ?
(A) Option 1: Add another data file to the table space
    Option 2: The existing data file can be manually resized
    Option 3: Properties of the existing data file can be changed to auto extendable

(Q) What is the formula to increase the data file size ?
(A) Data file size = Expected DB/100

(Q) How many number of data files will be there by default ?
(A) Default there are 100 data files

(Q) Expected DB size and Data file size
    Expected DB Size      Data File Size
    Up to 200Gb           2Gb
    200 to 400Gb          4Gb
    400 to 800Gb          8Gb
    Greater than 800Gb    60Gb

(Q) What is the error related to table overflow ?
(A) ORA1653 for tables, ORA1654 for indexes.

(Q) What will happen if max extents are reached ?
(A) ORA1533 is the error for max extents reached. If max extents is reaching its limit, then increase next extent. When extents are dropped they are marked as free and their blocks can be used by new extents, but adjacent blocks are not combined. The DBA must coalesce (COALESCE) the free extents into one large extent. There are two options for coalescing extents:
    1. BRCONNECT -f check -> COALESCE free extents automatically
    2. BRSPACE -f check -> COALESCE free extents, use locally managed table spaces.

To solve the above problem with extents we must use locally managed table spaces.
    Segment Size        Next Segment Size    Max. No. of Extents
    Less than 1Mb       Less than 64Mb       16
    1 to 64Mb           1Mb                  63
    64Mb to 1Gb         8Mb                  126
    Greater than 1Gb    64Mb                 Unlimited

The advantage of LMTS (locally managed table spaces) is that the “ORA1533” error will no longer occur. The only disadvantage of LMTS is that it always checks for used and free space.

Increase the Table space:
1. Log on to ORA<SID> and enter into BR tools.
2. Space management (option 2)
3. Extend table space (option 1)
4. Enter ‘c’ to continue
5. Enter ‘c’ to continue
It will give “Table space extension main menu”
Note: First use option 2 to show the table spaces and their percentage full, make a note of any table space which is 80% or more full, and then add a data file as per the specification using option 1, that is “extend table space”.
6. Extend table space (option 1)
7. This will list all table spaces and percentage used
Example Table: “PSAPR3700”
8. Select the table space that is ‘pos’ position
9. Enter 2 to select above example table
Note: options for extension of table space
a. Last added file name
b. Last added file size in MB
c. New file to be added
d. Raw disk/link target
e. Size of the new file in MB
f. File auto extend mode = YES
g. Max file size in MB = [10000]
h. File increment size in MB = [20]
i. SQL Command = [alter table space name]

Note: the last added data file name and new file to be added will show the exact location where the data file is residing that is Oracle/<sid>/sapdata 1 to n/

10. Enter ‘c’ to continue
11. Enter option 5 to change the size of new file in MB
12. Press ‘c’ to continue
13. Select ‘NO’ to continue with the current data file addition.
14. Select ‘YES’ to add a new data file to the current table or add new data file to a new table.

Note: this action updates the time stamp in the co-file, that is, it creates a copy of the co-file in the location /oracle/<SID>/SAPREORA|[CNTRL<SID>.old]
Once the co-file copy is created, the table space is extended. Once that has successfully completed, it switches to the next online redo log file for the database instance and finally creates a copy of the co-file with the new time stamp, that is CMTRL<SID>.news

Top 10 Oracle errors:
1. ORA1631 and ORA1632 -> Max extent full
2. ORA1653 -> Table space full
3. ORA1654 -> Index full
4. ORA1113 -> When backup is aborted
5. ORA1144 -> When back is shutdown immediately
6. ORA1578 -> Data block corrupted
7. ORA0255 -> Database stuck
8. ORA1555 -> Buffer mode is OFF
9. ORA272 and ORA255 -> Archive stuck
10. ORA600 -> Hardware Failure

Note: option 4 and 5 are also called as missing end backup.

Changing Oracle Parameters

Q) Create server parameter file from init<sid>.ora
A) -> Login to oracle user (ora<sid>)


Sap Database Notes -3




TAPE MANAGEMENT:-

(1) Each and every tape used for backup, i.e. by BRBACKUP and BRARCHIVE, needs to be initialized.
(2) During tape initialization an SAP specific label is written to the tape as the first file (.tape.hdr0), containing the tape name.
(3) BRTOOLS -> Backup -> Dbcopy -> Additional Functions -> Init of BRBACKUP tape volumes or Init of BRARCHIVE tape volumes.
The command to start the initialization is BRBACKUP or BRARCHIVE with -i/-initialize.

(Q) What are the contents of tape label after a tape is Initialized ?
(A) (i) Tape Name
    (ii) Name of the Database
    (iii) Time stamp of last backup recorded on the tape
    (iv) Number of Backups performed with the tape

Before writing data to tape, the label is read to check the following:
(i) Tape name
(ii) Tape locked or expired (Expir_period)
(iii) Number of times the tape has already been read (Tape_use_count)
If Expir_period = 0 days, the volume is not locked at all and can be overwritten.
• If a lock occurs on a tape, it automatically expires at midnight.

(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks?
(A) There are 2 types of locks
    (i) Physical lock check: Physical lock check is done by checking tape label parameter Expir_period. If the number of days passed since the tape was last used is less than value of parameter Expir_period, then the tape is physically locked.
    (ii) Logical lock check: This value is derived from the time stamp written to tables SDBAH, SDBAD
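
The label checks and the two lock checks described above, as an added Python example (a simplified model of the rules in these notes, not BRBACKUP's own code). The function names, the sample tape names and the history list standing in for tables SDBAH/SDBAD are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class TapeLabel:
    """Label fields the notes list for an initialized tape."""
    tape_name: str
    db_name: str
    last_backup: date   # time stamp of the last backup recorded on the tape
    use_count: int      # number of backups performed with the tape

def is_locked(last_used, expir_period, today):
    """Locked while fewer than expir_period days have passed since last use.
    Whole calendar days are compared, so a lock ends at midnight; 0 = never locked."""
    return expir_period > 0 and (today - last_used).days < expir_period

def tape_findings(label, requested_name, expir_period, tape_use_count, history, today):
    """Return reasons not to overwrite the tape; an empty list means it is usable.
    history is a constructed stand-in for the backup log tables: (tape_name, date)."""
    findings = []
    if label.tape_name != requested_name:
        findings.append("tape name mismatch")
    # Physical lock: decided from the time stamp stored in the tape label.
    if is_locked(label.last_backup, expir_period, today):
        findings.append("physical lock")
    # Logical lock (assumed model): same rule, applied to the logged time stamps.
    logged = [d for name, d in history if name == label.tape_name]
    if logged and is_locked(max(logged), expir_period, today):
        findings.append("logical lock")
    if label.use_count >= tape_use_count:
        findings.append("tape_use_count reached")
    return findings

# Constructed sample: the label shows 1 May as the last use, while the
# logged history shows a backup on the same tape on 20 May.
LABEL = TapeLabel("PRDB01", "PRD", date(2016, 5, 1), 12)
HISTORY = [("PRDB01", date(2016, 5, 20)), ("PRDB02", date(2016, 5, 21))]

if __name__ == "__main__":
    print(tape_findings(LABEL, "PRDB01", 30, 100, HISTORY, date(2016, 5, 31)))
```

With the sample data the label alone would release the tape on 31 May, and only the logged time stamp still blocks the overwrite.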

(Q) What are the various tape selection processes?
(A) (i) Automatic tape selection by BRBACKUP and BRARCHIVE
    (ii) Manual selection by the operator
    (iii) By external tool

(Q) What is the option to select the tapes automatically by BRBACKUP and BRARCHIVE?
(A) Set the parameters Volume_Backup and Volume_Archive to TAPE

(Q) What is the command to check which tape will be automatically selected?
(A) BRBACKUP | BRARCHIVE –Q | Query { check }

(Q) How do we switch off automatic tape management?
(A) By setting the parameters (Volume_Backup and Volume_Archive) to the value “SCRATCH”

(Q) How do I turn off the tape management performed by SAP tools?
(A) Configure the parameter Backup_dev_type = UTIL_FILE or UTIL_FILE_ONLINE, and also configure the BACKINT interface in init<SID>.sap
NOTE: The BACKINT interface program is only supported for external backup.

(Q) How do we verify Backups?
(A) Verification of backups is of 2 types
     (i) Tape verification: The files are restored file by file and compared with the original files to verify that the backup is readable.
     (ii) DB block consistency: This checks the database block by block using the Oracle tool “DBVERIFY” to identify and restore from bad blocks.
PATH: BRTOOLS -> Backup & DBcopy -> Verification of DB Backup, Verification of Archive log Backup
With the option USE_DBV (DBVERIFY) = NO, only the tape is verified (if YES: tape verification + DB block consistency check).

STATUS OF OFFLINE REDO LOG FILES:
(1) During backup to tape = ARCHIVE
(2) First status = SAVED
(3) Second status = COPIED
(4) After deletion = DELETED
(5) During backup to disk = DISK
NOTE: All the above statuses are recorded in ARCH<SID>.log

ANALYZING Database PROBLEMS:
(1) Check the database alert log and trace files belonging to background processes (SAP Trace/Background)
(i) Check for status of Database = Available or NOT Available
(ii) Check for Error = Media or User error
(iii) Check for corrupted files and file types = Data, Cofile, Online Redo log Files
(iv) Check if Software or Hardware Mirroring = Available or Not
(2) The safest method is to perform a complete offline backup, using BRBACKUP or any backup tool, before the files are copied back into place during the restore.
(3) The above step is very important for Point In Time Recovery or for a database reset, because these strategies always involve data loss.
(4) Save offline redo log files in the ORARCH directory using BRARCHIVE only.
(5) To check the reliability of the backup strategy, regularly run the restoration report in SAP using DB12.
(6) The above report is used to find out which backup to use for recovery as well as it displays information about last successful Backup.
(7) If the list of RedoLog files after the last Database Backup is too long, then perform a complete Database Backup.




Sap Database Notes -2


BR Tools (used for entire backup administration)
• BR Tools is a package name that contains various tools.
• These tools are divided in various ways based on their performance.
Note: If you get an error message while calling BR Tools, then your version might be older (less than 4.7).
• There are two modes for calling the various options in BR Tools:
 -Main Menu Mode
 -Quick Mode

BRCONNECT must be called in main menu mode.
• ‘BRSPACE’ and ‘BRRECOVER’ always make a ‘CONNECT / AS SYSDBA’, because their actions require SYSDBA privilege.
• Once you connect as SYSDBA, if you do not want to enter a user name and password while calling SQL*Plus, call the interactive program using the command ‘SQLPLUS /NOLOG’
• SQL*Plus by default connects to the db defined in enhancement oracle database.
• Changing the password for the SAP user is done using ‘BRCONNECT’
Note: Passwords for the DB user ‘SAP SCHEMA ID’ or ‘SAPR3’ should not be changed using Oracle methods.

Database Transaction Codes:

1. DB13: Schedule backups and other administrative jobs.
Note: ‘DB13C’ : This is used to schedule backups and admin activities centrally for all SAP systems and database.
2. DB14: To check the status and logs of all database operations.
3. DB16: Overview of database system checks.
4. DB17: View and maintain check conditions for database system check.
5. DB20: Maintain Statistics.
6. DB21: Configuration of Statistics
7. DB26: Database parameter overview with history.
8. DB02: Table and index monitor
9. ST04: Database performance monitor
10. RZ20 – DB Alert Monitor (Optional)
11. DB13 is used as an interface to schedule background jobs starting with DBA*. These background jobs look into table ‘SDBAC’
12. SPfile.ora is the server-side initialization parameter file (Oracle database server)
• Do not make parameter changes at the Oracle level, because that only changes parameter values in the SPfile; always use BR*Tools, because they keep the two files consistent by copying the contents to both files.
• The transaction codes DB02 and ST04 still use ‘init<SID>.ora’
• The SAP installation tools do not create an SPfile. The SPfile is created using SQL*Plus ‘CREATE SPFILE’.
• The SPfile is stored in the ‘oracle_home’ directory, the same as ‘init<SID>.ora’.
• RZ20: Database alert monitor.

Start and Stop Commands
BRSPACE -c force -f dbstart -s <State>

Starting of Database

1. No mount: reads parameter files; the database instance is started and memory buffers are allocated.
2. Mount phase: opens cofiles.
3. Open: opens all data files and online redo log files.
• The mount phase is used for database recovery, for changing archive log mode, for removing and moving data files, and also for adding, dropping and renaming online redo log files.
• Do not use ‘BRCONNECT’ to start and shut down the database; instead use ‘BRSPACE’ because it tried logfile actions.
• The no mount phase is used for creation of the database and for recreation of lost cofiles.

Stopping of Database
1. Normal: Oracle waits till all users are disconnected from the database. All files are closed, the database is dismounted and the instance is shut down.
2. Transactional: Oracle waits for all open transactions to finish, then disconnects users and shuts down the database.
3. Immediate: No new connections or transactions are allowed. PMON ends all user sessions and performs a rollback of any open transactions, and only then shuts down the database.
4. Abort: No new connections or transactions are allowed. There is no rollback of open transactions. Users are disconnected and Oracle processes are stopped.
Note: With the first three methods above, the database is shut down in a consistent state and does not need recovery at the next restart.
• The default mode for Oracle shutdown is normal.
• The Oracle commands shutdown immediate and shutdown abort stop the Oracle instance even if work processes still have connections to the database.
• Oracle info messages, warnings and errors are logged in Oracle dump files, i.e. background and user trace, which are located in the ‘SAPDATA_NAME’ directory.
• The background directory stores the alert log file, Alert_<SID>.log, whereas the user directory stores trace files written on behalf of shadow processes.

(Q) Why do I need ‘SPFILE<SID>.ora’ even though I have ‘init<SID>.ora’?
(A) From Oracle 9i, ‘init<SID>.ora’ is replaced by ‘SPfile<SID>.ora’ or ‘SPfile.ora’.

(Q) If a file is missing from the chain of offline redo log files, what do we do?
(A) We have to perform a restore and recovery of the database. Recovery is performed using the “Point In Time” method, by which all the offline redo log files older than the last one are used for recovery.

(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
    (ii) Manually dropping Database Objects.
    (iii) Manually dropping Application Objects.

(Q) Is Point in Time Recovery a standard Solution for logical errors in production system ?
(A) NO

(Q) Where do we use the Point IN Time Recovery ?
(A) Point in Time is very critical in a system landscape with Data Dependencies between Systems.

(Q) How do we verify Consistency of Oracle Database ?
(A) By performing a logical data check.

(Q) Why do we need to perform a logical check?
(A) In order to verify corrupted data blocks (ORA-1578)

(Q) Why do we need to perform a physical Data check ?
(A) To verify the tapes used for Database backup.

(Q) How often do we perform online backups and offline backups?
(A) Online Backup = Daily
    Offline Backup = Once in a Week

(Q) How do we perform Backup of Offline Redo log files ?
(A) (i) A backup of every offline redo log file is taken TWICE on separate tapes before the files are deleted from the archive directory.
    (ii) Perform additional backups after each system upgrade and also if the database structure is modified.

(Q) What are the tools used by Oracle Admin in an SAP System for Backups ?
(A) Database Backups = BRBACKUP
    Offline Redo log files = BRARCHIVE

(Q) On what occasions are changes made to the file structure of the database?
(A) 1) When a Data file is added
    2) When a Data file is moved to a Different Location.
    3) When a Table Space and its Data files are reorganized.

(Q) What are the various Backup types?
(A) There are 5 Backup types
    1) Online Backup
    2) Offline Backup
    3) Complete Backup
    4) Incremental Backup
    5) Partial Backup

Complete Backup:
All the Data in the Database is backed up. Complete Backup is again divided into 2 Types
1) Full Backup:- After the data backup, additional information, i.e. the catalog, is written into the cofile by Recovery Manager.
2) Whole Backup:- It creates a Backup of all the data without the Catalog.

Incremental Backup:
i) This backup is used for taking only the data blocks that have changed since the time of the full backup.
ii) An incremental backup shortens the amount of data to be backed up, but not the backup time.
iii) An incremental backup is only based on the previous full backup.

(Q) If the corresponding full backup is already overwritten, can I use the incremental backup?
(A) NO, Incremental Backup is useless.

(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO

Partial Backup:
The backup of Database in smaller parts is called as Partial Backup.
NOTE:- Sum of individual partial Backups form an Entire Complete Backup.
NOTE:- Recovery using partial backup data is very time-consuming, because it needs all oldest Backup Offline and Online recovery Processes.

(Q) What are the various Backup strategies used in SAP ?
(A) There are 3 Backup strategies in SAP
     i) Complete Backup:- Restore missing database files from the complete backup, then restore the offline redo log files written during and after this backup.
     ii) Incremental Backup:- Restore missing data files from the last full backup, then update them with a restore from the last incremental backup.
     iii) Partial Backup:- If we replace the complete backup with partial backups, we need a longer time to perform a recovery from a media crash.

TOOLS:
(1) BRBACKUP: Backup of Oracle Data files , Cofiles, Db Redolog files, Oracle Software Directories and SAP System directories.
(2) BRARCHIVE: Backup of Redo log files.
(3) BRRESTORE: Restore all Db files and Offline Redo log files
(4) BRRECOVER: Checks the database for missing files; it calls BRRESTORE for restoration of missing data files and offline redo log files.

NOTE:
(1) Both BRBACKUP and BRARCHIVE record their actions in log files; BRRESTORE uses these logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE support backup to tapes and disks as well as backups with third-party tools.

Important Parameters for Configuration of BRBACKUP and BRARCHIVE (Init<SID>.SAP)
(A) Backup_mode = All (Whole)
                  Full (full backup)
                  Incremental Backup
                  Partial (Table space name, Dir path, File IDs)
(B) Backup_type = Online and Offline Backup
(C) Backup_dev_type = Tape or Disk or External Interface
(D) Util_file = BACKINT(External Backup program through Interface BACKINT)
(E) TAPE_COPY_CMD = CPIO or DD or RMAN(Copying files from Disk to Tapes)
NOTE:
 DD = Raw devices are copied with this option
 CPIO = Directories are copied with this option
The profiles init<SID>.ora and init<SID>.sap and the summary and detail logs are copied with CPIO.
(F) DISK_COPY_CMD = cp, copy (Copying files to disks)
    Cp is used in UNIX
    Copy is used in WINDOWS
(G) (1) Expir_period = We have to specify the expiry period of a tape
    (2) Tape_use_count = Max number of times volumes can be written to tapes.
(H) Volume_Backup: Names of volumes used for backups(BRBACKUP)
    Volume_Archive: Names of volume used for backups of Offline redo log files(BRARCHIVE)
(I)Tape_Address = Identifies device address of tapes.
(J) DD_Flags and DD_IN_FLAGS = Specify the block size (at least 64 KB)
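
A small audit of an init<SID>.sap profile for the settings these notes describe as switching tape protection off, as an added Python example (not SAP code). The sample profile is constructed, the function names are assumptions, and only single-line entries are parsed.

```python
import re

# Constructed sample profile (not taken from a real system).
SAMPLE_PROFILE = """\
# init<SID>.sap excerpt
backup_mode = all
backup_type = online
backup_dev_type = tape
tape_copy_cmd = cpio
expir_period = 0          # tapes are never locked
tape_use_count = 100
volume_backup = SCRATCH
volume_archive = (PRDA01, PRDA02)
"""

def parse_profile(text):
    """Parse single-line 'name = value' entries; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        # A parenthesized value is a list of volume names.
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[name] = value
    return params

def audit_profile(text):
    """Return findings for settings that remove tape protection per the notes."""
    p = parse_profile(text)
    findings = []
    if p.get("expir_period") == "0":
        findings.append("expir_period = 0: volumes are never locked and can be overwritten")
    for vol in ("volume_backup", "volume_archive"):
        if str(p.get(vol, "")).upper() == "SCRATCH":
            findings.append(f"{vol} = SCRATCH: automatic tape management is switched off")
    if str(p.get("backup_dev_type", "")).lower() in ("util_file", "util_file_online"):
        findings.append("backup_dev_type: SAP tape management is off, BACKINT tool in charge")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```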

Integration of Oracle Recovery Manager (RMAN) into SAP Tools:
(1) RMAN is Default Oracle Backup and Restore Program
(2) The RMAN executable runs as a client process and connects to the database
(3) Backup with RMAN is done in 2 ways
(i) RMAN classifies a complete backup as a level 0 backup
(ii) Level 0 serves as the basis for level 1 (incremental)
(4) Backups performed without RMAN call CPIO or DD to save database files to tape
NOTE: RMAN always writes the information in a separate file, the recovery catalog

(Q) Can RMAN recover the Database automatically without Recovery catalog ?
(A) NO

(5) RMAN performs Backups directly to Disks and not to Tapes
(6) RMAN uses Oracle shadow process to check for data block corruptions and filters those blocks and then writes used blocks to backup media.
(7) The parameter that passes control of copying data to the backup media to RMAN is TAPE_COPY_CMD or DISK_COPY_CMD = RMAN_DISK (RMAN value)
(8) Advantages of using RMAN:
I) All blocks are checked for block corruption to ensure the consistency state.
II) Only used blocks are copied to Backup media
III) Empty blocks used before are always backed up

(Q) Can a whole backup be considered a level 0 backup?
(A) A whole backup is not a level 0 backup and can’t be used as the basis for an incremental backup.

(9) RMAN writes the header, trailer and blocks of at least one database or one raw disk file to a file called SAVESETS
(10) Using SAVESETS speeds up Backup Process.

PREPARATORY RUN:
    A preparatory run is used to determine the optimal SAVESET distribution of the data files we want to back up.
(Q) Why do we need to perform a preparatory run?
(A) If a backup with RMAN is supposed to form sets, then we need to perform a preparatory run.
     The preparatory run can be started from DB13: prepare for RMAN Backup.
     No backup is created during the preparatory run; it only estimates the compression rate of BRTOOLS when compressing the files and determines the compressed and decompressed file sizes.
     It is recommended to perform a preparatory run once per backup cycle.

